On Jan 19, 2012, Ted Wynnychenko wrote:
> Hello

Hello Ted,

> I downloaded/configured/installed fwknop 2.0 on openbsd 4.9
>
> I modified the fwknopd.conf:
>
> PCAP_INTF bge0;
> PCAP_FILTER udp dst portrange 10000-65535;
> MAX_SPA_PACKET_AGE 300;
> PF_EXPIRE_INTERVAL 120;
>
> I added to access.conf:
>
> SOURCE: ANY;
> OPEN_PORTS: tcp/22;
> REQUIRE_USERNAME: myname;
> FW_ACCESS_TIMEOUT: 120;
> KEY: secret;
>
> And, finally, added an anchor to pf.conf:
>
> anchor fwknop

All of the above looks good. I'm assuming that you have left the PF_ANCHOR_NAME variable as the default (commented out) in the fwknopd.conf file? The default value is just "fwknop".

> Reloaded (and even rebooted) the rules with pfctl.
>
> The anchor is present; "pfctl -s all" reveals: 'anchor "fwknop" all' in
> the list of "FILTER RULES".
>
> However, trying "fwknopd -v -f" gives:
>
> Starting fwknopd
> Using Digest Cache: '/usr/local/var/run/fwknop/digest.cache' (entry count = 0)
> Warning: the fwknop anchor is not active in the pf policy
>
> And the fwknopd process dies.
>
> So, what did I miss?

The check that fwknopd does for the "fwknop" anchor is fairly basic. It parses the output of "pfctl -s rules" for the string "anchor "fwknop" " (external quotes not part of the search, but the internal ones are, and the trailing space too). It first checks for this string at the very beginning of the output of "pfctl -s rules", and if it's not there, then it checks for the same string but only after a newline character. You might try putting the anchor at the very top of the filter rules section, and also try putting it after the first rule. This will exercise the logic above.

Can you send me the "pfctl -s rules" output (IP's removed)? Other than replacing the IP's with "N.N.N.N", if you could leave the rest of the output unchanged that would be great.

Thanks,

--Mike

> Any help would be appreciated.
>
> Thanks
>
> Bye - ted

_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
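Added example, not fwknopd's own code and not part of the thread: a small POSIX sh script that reproduces the anchor check Mike describes (the exact string `anchor "fwknop" ` with the internal quotes and the trailing space, matched either at the very start of the `pfctl -s rules` output or immediately after a newline), so an administrator can run it against saved `pfctl -s rules` output before restarting fwknopd. The sample rule sets in the script are constructed for illustration; grep's `^` covers both of the positions the check distinguishes in one pattern, and the script assumes PF_ANCHOR_NAME keeps its default of "fwknop" unless overridden in the environment.

```shell
#!/bin/sh
# Added example (not fwknopd's code): reproduce the anchor check described
# in the thread so saved "pfctl -s rules" output can be tested offline.
# fwknopd searches for the exact string 'anchor "fwknop" ' (internal quotes
# and trailing space included) at the very beginning of the output or right
# after a newline. grep's "^" matches both positions.
# Assumption: PF_ANCHOR_NAME defaults to "fwknop", as in fwknopd.conf.

ANCHOR_NAME="${PF_ANCHOR_NAME:-fwknop}"

# anchor_active: reads pfctl-style rule output on stdin; exit status 0 when
# some line begins with the exact anchor string, 1 otherwise.
anchor_active() {
    grep -q "^anchor \"$ANCHOR_NAME\" "
}

# check_output: runs anchor_active on a string argument and prints a verdict
# using the same wording fwknopd prints in the warning quoted above.
check_output() {
    if printf '%s\n' "$1" | anchor_active; then
        echo "anchor \"$ANCHOR_NAME\" is active in the pf policy"
        return 0
    else
        echo "Warning: the $ANCHOR_NAME anchor is not active in the pf policy"
        return 1
    fi
}

# Constructed sample rule sets (not real output from the thread).
# 1. Anchor line as pfctl prints 'anchor "fwknop" all': the trailing space
#    after the closing quote is present, so the exact match succeeds.
GOOD='block all
anchor "fwknop" all
pass out quick on bge0'

# 2. Anchor line with nothing after the closing quote: no trailing space,
#    so the exact-string check fails even though the anchor is loaded.
NO_SPACE='block all
anchor "fwknop"
pass out quick on bge0'

# 3. Anchor string present but not at the start of a line: the check only
#    looks at the beginning of the output or directly after a newline.
INDENTED='block all
  anchor "fwknop" all'

# Usage: sh anchor_check.sh --demo   (runs the three constructed cases)
#        pfctl -s rules | sh -c '. ./anchor_check.sh; anchor_active' && echo ok
if [ "${1:-}" = "--demo" ]; then
    check_output "$GOOD"
    check_output "$NO_SPACE"
    check_output "$INDENTED"
fi
```

The second and third cases are the ones worth checking when the anchor is visibly loaded (as in Ted's `pfctl -s all` output) but fwknopd still refuses to start: the check is a literal prefix match, so any difference in how the anchor line is printed, not whether the anchor exists, decides the outcome.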
